OK. Thanks. So to block/allow traffic from network A to/from network B I would apply my rules to the FORWARD chain using a source/destination. The INPUT and OUTPUT chains on eth0 and eth1 are only for traffic bound for the firewall/router box itself?

On Tue, 17 May 2011 23:29 +0200, "Pascal Hambourg" <pascal.mail@xxxxxxxxxxxxxxx> wrote:
> Hello,
>
> netfilter@xxxxxxxxxxxxxx wrote:
> >
> > In the following scenario, someone makes a new HTTP request from the
> > Internet that is allowed inbound on eth0 and goes out of the eth1
> > interface to the HTTP server in the server network.
> > The HTTP server in the server network sends the response to the original
> > requester.
> >
> > Does the response ever hit the INPUT chain of ETH1?
>
> No.
>
> > Or does it immediately go to the FORWARD chain
>
> Yes.
>
> > and out the OUTPUT chain of eth0.
>
> No.
> The three filter chains are mutually exclusive: a packet can only go
> through one of them. Forwarded packets only go through the FORWARD chain.
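A ruleset that puts the conclusion above into practice, added here as an example (it is not from the thread): traffic between the networks is filtered in FORWARD, INPUT only covers packets addressed to the router, and the HTTP response from the server is matched by the conntrack rule in FORWARD. Interface names follow the thread; the server address 192.0.2.10, the default policies, the SSH rule and the IPT=echo dry-run hook are assumptions.

```shell
#!/bin/sh
# Stateful filter for a router with eth0 (Internet) and eth1 (server LAN).
# Constructed example: the address, policies and dry-run hook are assumptions.
set -eu

IPT="${IPT:-iptables}"        # IPT=echo prints the rules instead of applying them
WAN_IF=eth0
LAN_IF=eth1
HTTP_SERVER=192.0.2.10        # documentation address, constructed for this example

fw_policy() {
    # Default-deny for packets to the router and through it; each rule below
    # opens exactly one path.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

fw_input_rules() {
    # INPUT only sees packets whose destination is the router itself.
    # Nothing here mentions the HTTP server: its traffic never reaches INPUT.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT   # admin SSH from the server LAN only
}

fw_forward_rules() {
    # FORWARD sees packets that enter on one interface and leave on another.
    # The server's HTTP response is the reply half of an existing connection,
    # so the first rule accepts it; it traverses neither INPUT nor OUTPUT.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$HTTP_SERVER" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Everything else falls through to the DROP policy; log it first for detection.
    $IPT -A FORWARD -j LOG --log-prefix "FWD-DROP: "
}

fw_apply() {
    fw_policy
    fw_input_rules
    fw_forward_rules
}

# Usage: sh fw.sh apply      (or: IPT=echo sh fw.sh apply  to preview the rules)
if [ "${1:-}" = "apply" ]; then
    fw_apply
fi
```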